手动 web 身份验证后验证 websocket 会话

Question

我在 SpringBoot 上使用带有 STOMP WebSocket 的 Spring Security。当我使用简单的登录表单时，websocket 上的身份验证在此配置下运行良好：

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/webjars/**", "/resources/**").permitAll()
        .antMatchers("/register").anonymous()
        .anyRequest()
            .fullyAuthenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .successHandler(customLoginSuccessHandler)
        .failureUrl("/login?error")
            .permitAll()
            .and()
        .csrf().disable()
            .logout().logoutSuccessHandler(customLogoutSuccessHandler);
}


@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {
@Override
protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
    messages
            .nullDestMatcher().authenticated()
            .simpTypeMatchers(CONNECT).authenticated()
            .simpSubscribeDestMatchers(Channel.SYSTEM_ERROR.value()).permitAll()
            .simpDestMatchers("/app/publish*").hasRole("USER")
            .simpSubscribeDestMatchers("/user/**", "/topic/**", "/system/*").hasRole("USER")
            .anyMessage().denyAll();
}

但是当我想在 RegisterController 中注册新用户后手动验证客户端时：

@RequestMapping(value = "/register", method = RequestMethod.POST)
public String signup(@Valid @ModelAttribute SignupForm signupForm, Errors errors) {
    if (errors.hasErrors()) {
        return SIGNUP_VIEW_NAME;
    }
    User user = signupForm.createAccount();
    try {
        userService.persist(user);
    } catch (EntityExistsException ex) {
        errors.rejectValue("login", "user.exists");
        return SIGNUP_VIEW_NAME;
    }
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(user, null, Collections.singletonList(new SimpleGrantedAuthority("USER"))));

    return "redirect:/";
}

我遇到了 auth websocket 的问题。当我被重定向到 websocket 连接的页面时，我得到org.springframework.security.access.AccessDeniedException: Access is denied

Answer 1

所以。问题在于定义角色。在控制器中，当我定义new SimpleGrantedAuthority("USER") 时，它应该是"ROLE_USER"，因为 Spring 默认添加了 refix ROLLE_。当然，我们可以通过在 WebSecurity 配置中添加下一个来更改默认行为

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/favicon.ico");
        web.expressionHandler(new DefaultWebSecurityExpressionHandler() {
            @Override
            protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
                WebSecurityExpressionRoot root = (WebSecurityExpressionRoot) super.createSecurityExpressionRoot(authentication, fi);
                root.setDefaultRolePrefix(""); //remove the prefix ROLE_
                return root;
            }
        });
    }

。是的，虚拟错误，但很常见。所以我把它放在这里